Half (52 per cent) of new malware strains only stick around for 24 hours or less.

The prevalence of short lived variants reflects a tactic by miscreants aimed at overloading security firms so that more damaging strains of malware remain undetected for longer, according to a study by Panda Security.

The security firm, based in Bilbao, Spain, detects an average of 37,000 new viruses, worms, Trojans and other security threats per day. On average, around 19,240 of them spread and try to infect users for just 24 hours, after which they become inactive as they are replaced by other, new variants.

Virus writers - increasingly motivated by profit - try to ensure their creations go unnoticed by users and stay under the radar of firms. It's now become common practice for VXers to review detection rates and modify viral code after 24 hours. The practice goes towards explaining the growing malware production rate.

Luis Corrons, technical director of PandaLabs, explained: "This is a never-ending race which, unfortunately, the hackers are still winning."

"We have to wait until we get hold of the malware they have created to be able to analyse, classify and combat it. In this race, vendors that work with traditional, manual analysis techniques are too slow to vaccinate clients, as the distribution and infection span is very short."

This is nothing new, of course, and anyone familiar with the Storm/Nuwar exploits (2 years ago) will remember that the binary code changed more often than once per day. See some references below.

The article appears in The Register, and I wonder what audience it's aimed at. Certainly not those who follow security, for it's quickly dismissed since it offers nothing really new, nor anything useful for protection. To wit,

"This is a never-ending race which, unfortunately, the hackers are still winning."


Well, maybe not, unless you are part of the audience: the group of people who are not informed and most likely to depend on AV as their sole protection. Hence, the dire warning about lack of AV detection would definitely make an impact. These people will become more afraid due to the tone of the article.

However, those who work to help people become informed know to explain the two basic attack vectors for malware.

Those that circumvent the browser (drive-by attacks) -- these are easily handled by explaining proper browser configuration, and having security in place to intercept the drive-by attempt to download the malware.

Those that depend on tricking the user to download/install. It's amazing to realize that the success of Storm creating botnets of millions of people was due mainly to the victims clicking on a link,

then, agreeing to open an executable file to view a Valentine Card.

However, as long as these writers limit their sources to AV security people, nothing of any real use will come of their articles, since they are stuck in that mode of thinking. Rarely do they offer any in depth thinking about prevention and basic security procedures. Too bad, for such a general audience could benefit from some simple explanations. All they are given, however, is a hope for the cloud-based stuff:

Panda's cloud-based Collective Intelligence approach made its technology more agile, thereby reducing the risk window. Other security vendors, including Trend and McAfee, are also adopting cloud-based architectures to deal with the same problem of growing malware production rates.

"We're continuing to see variations of the storm malware, and what's particularly concerning is the rate at which e-greeting cards are going out, because they have become the primary means of infection," he said.

The domain appears to be registered through nic.ru and hosted on a fast-flux network of at least 1000 nodes... the binary changes approximately every 15 minutes; supposedly updating the peer-list used by the P2P network that the bot-net uses for command and control.
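The fast-flux behaviour described in that last reference (one hostname resolving to a constantly changing pool of infected nodes with short TTLs) is something a resolver log can flag without ever seeing the binary that changes every 15 minutes. The following is an added example, not code from the original post, from The Register, or from Panda; it scores a series of DNS answer sets on four signals that are assumptions of this example rather than a published standard: number of distinct IPs, number of distinct /16 prefixes (a stand-in for ASN diversity, since there is no offline ASN lookup here), the shortest TTL seen, and how much the answer set churns between consecutive lookups. The sample lookups are constructed from RFC 5737 documentation ranges and are not real hosts.

```python
"""Fast-flux heuristic over a series of DNS answer sets.

Added example: the four signals and every threshold below are assumptions chosen
for the constructed samples, not a published detection standard.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address
from typing import Sequence


@dataclass(frozen=True)
class Lookup:
    """One A-record answer set for a name, as a resolver would record it."""
    name: str
    ttl: int
    addresses: tuple[str, ...]


def _prefix16(addr: str) -> int:
    """Upper 16 bits of an IPv4 address; ip_address() raises on garbage input."""
    return int(ip_address(addr)) >> 16


def flux_features(lookups: Sequence[Lookup]) -> dict[str, float]:
    """Aggregate per-lookup answers into the four signals used by is_fast_flux()."""
    if not lookups:
        raise ValueError("need at least one lookup")
    sets = [set(lk.addresses) for lk in lookups]
    unique_ips = set().union(*sets)
    prefixes = {_prefix16(ip) for ip in unique_ips}
    # churn = 1 - mean Jaccard overlap of consecutive answer sets:
    # 0.0 means the same hosts every time, 1.0 means a brand-new set on every lookup.
    if len(sets) > 1:
        overlaps = [len(a & b) / len(a | b) for a, b in zip(sets, sets[1:])]
        churn = 1.0 - sum(overlaps) / len(overlaps)
    else:
        churn = 0.0
    return {
        "unique_ips": len(unique_ips),
        "unique_prefixes": len(prefixes),
        "min_ttl": min(lk.ttl for lk in lookups),
        "churn": churn,
    }


def is_fast_flux(lookups: Sequence[Lookup], *, max_ttl: int = 3600, min_ips: int = 6,
                 min_prefixes: int = 3, min_churn: float = 0.5) -> bool:
    """All four signals must fire together; the defaults are assumed thresholds."""
    f = flux_features(lookups)
    return (f["min_ttl"] <= max_ttl and f["unique_ips"] >= min_ips
            and f["unique_prefixes"] >= min_prefixes and f["churn"] >= min_churn)


# Constructed samples (RFC 5737 documentation ranges, hypothetical names).
# A flux name: every lookup hands back four previously unseen hosts in three prefixes.
FLUX_LOOKUPS = [
    Lookup("greeting-card.example", 300, ("203.0.113.5", "198.51.100.77", "192.0.2.19", "203.0.113.200")),
    Lookup("greeting-card.example", 300, ("198.51.100.12", "192.0.2.88", "203.0.113.41", "198.51.100.3")),
    Lookup("greeting-card.example", 300, ("192.0.2.250", "203.0.113.99", "198.51.100.150", "192.0.2.7")),
]
# An ordinary site: one address, day-long TTL.
STATIC_LOOKUPS = [
    Lookup("www.example", 86400, ("192.0.2.80",)),
    Lookup("www.example", 86400, ("192.0.2.80",)),
    Lookup("www.example", 86400, ("192.0.2.80",)),
]
# A CDN-style round-robin: short TTL and several addresses, but the same small pool
# in one prefix; the prefix and churn requirements keep it from being flagged.
CDN_LOOKUPS = [
    Lookup("cdn.example", 60, ("203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13")),
    Lookup("cdn.example", 60, ("203.0.113.13", "203.0.113.10", "203.0.113.12", "203.0.113.11")),
    Lookup("cdn.example", 60, ("203.0.113.11", "203.0.113.12", "203.0.113.13", "203.0.113.14")),
]

if __name__ == "__main__":
    for label, series in (("flux", FLUX_LOOKUPS), ("static", STATIC_LOOKUPS), ("cdn", CDN_LOOKUPS)):
        print(f"{label:7s} fast_flux={is_fast_flux(series)} {flux_features(series)}")
```

The point of the third sample is the usual false positive: content-delivery networks also answer with short TTLs and many addresses, so a check on TTL or address count alone would flag them. Requiring both prefix diversity and high churn between consecutive answers is what separates a rotating botnet pool from a stable round-robin. Against a pool of a thousand nodes, three lookups a few minutes apart will already look like FLUX_LOOKUPS.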